agorum Software XML External Entity Vulnerability in agorum core open
Vulnerability
A vulnerability allowing XML External Entity (XXE) attacks has been identified in agorum core open versions 11.9.2 and 11.10.1. This issue arises in the RSSReader endpoint, where attackers can exploit the vulnerability by sending crafted XML input to access sensitive data. The flaw is present in the 'desk4web' submodule of the 'agorumcore' application.
Impact
Exploitation of this vulnerability allows for unauthorized access to sensitive data by manipulating XML input to read arbitrary files on the server.
Reproduction
The vulnerability can be reproduced by sending a request to the RSSReader component with a crafted XML file that defines an external entity pointing to a local file. This can be done without authentication. Alternatively, in the Agorum Explorer component, an administrative user can upload an XML file, which low-privileged users can then have processed by sending a request that includes the file's object ID.
Remediation
Users can upgrade to agorum core open versions 11.9.2 or 11.10.1.
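The Reproduction and Remediation sections above describe the bug and the upgrade; as an added illustration of the parser-side control that removes this bug class (not agorum's code, and using Python's standard-library expat parser rather than whatever the RSSReader endpoint uses), the following feed parser rejects any DOCTYPE before an entity can be declared and, as defence in depth, refuses to resolve external entities. Both sample feeds are constructed for this example.

```python
import xml.parsers.expat as expat

class XXEBlocked(ValueError):
    """Raised when the input carries a DOCTYPE (where entities get declared)."""

def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # An RSS feed never needs a DTD: treat any DOCTYPE as hostile and abort.
    raise XXEBlocked(f"DOCTYPE {name!r} rejected (sysid={sysid!r})")

def _reject_external_entity(context, base, sysid, pubid):
    # Defence in depth: never fetch an external resource; returning 0 aborts.
    return 0

def parse_rss_titles(xml_bytes: bytes) -> list[str]:
    """Return the <title> text of every <item> in an RSS 2.0 feed."""
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.ExternalEntityRefHandler = _reject_external_entity
    titles, stack, buf = [], [], []

    def start(tag, attrs):
        stack.append(tag)
        buf.clear()

    def end(tag):
        # Only <item><title> counts; the channel-level <title> is skipped.
        if tag == "title" and len(stack) >= 2 and stack[-2] == "item":
            titles.append("".join(buf).strip())
        stack.pop()

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = buf.append
    parser.Parse(xml_bytes, True)
    return titles

def classify(xml_bytes: bytes) -> str:
    """'ok' for a parseable feed, 'blocked' when the DOCTYPE guard fires."""
    try:
        parse_rss_titles(xml_bytes)
        return "ok"
    except XXEBlocked:
        return "blocked"

# Constructed sample inputs (not from the advisory). XXE_FEED has the shape the
# advisory describes: a DOCTYPE declaring an external entity naming a local file.
BENIGN_FEED = (b'<rss version="2.0"><channel><title>Feed</title>'
               b'<item><title>First post</title></item>'
               b'<item><title>Second post</title></item></channel></rss>')
XXE_FEED = (b'<!DOCTYPE rss [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
            b'<rss version="2.0"><channel><item><title>&ext;</title></item></channel></rss>')
```

Because the guard fires on the DOCTYPE itself, the placeholder file path is never opened and the request can be logged as rejected input.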
